Incident: Hotel Door Locks Hacked for Ransom in Austria, IoT Vulnerability

Published Date: 2017-12-14

Postmortem Analysis
Timeline
1. The software failure incident at Seehotel Jagerwirt in Austria happened between December 2016 and January 2017 [66029].

System
1. Electronic door locks and other systems at Seehotel Jagerwirt in Austria's Alps [66029]
2. Smart fish tank at a US casino [66029]

Responsible Organization
1. Cybercriminals who hacked the Austrian hotel's electronic door locks and systems for ransom [66029]
2. Unknown hackers who targeted a US casino's smart fish tank to gain access to the firm's wider network [66029]

Impacted Organization
1. Seehotel Jagerwirt in Austria's Alps [66029]
2. A US casino with a smart fish tank [66029]

Software Causes
1. Ransomware attack through a phishing email disguised as a bill from Telekom Austria, leading to the hotel's electronic door locks becoming unusable and the hard drive being affected [66029].
2. Hackers gaining access to a US casino's network through a smart fish tank connected to the internet, allowing them to steal data and move laterally within the organization [66029].

Non-software Causes
1. Lack of cybersecurity measures in place at the hotel, such as firewalls and antivirus software [66029].
2. Human error leading to clicking on a malicious link in an email [66029].
3. Lack of awareness and training among staff to recognize phishing emails [66029].
4. Inadequate security measures in IoT devices, such as the smart fish tank in the US casino [66029].

Impacts
1. The hotel's electronic door locks and other systems were hacked for ransom four times, leaving the door keys and hard drive unusable and resulting in a payment of two bitcoins as ransom [66029].
2. The incident led the hotel to install firewalls and new antivirus software, train staff to recognize phishing emails, and revert to traditional metal keys for guest rooms [66029].
3. The incident highlighted the vulnerability of IoT devices, with examples like a casino's smart fish tank being hacked to access the firm's wider network, leading to the theft of data [66029].
4. The incident showcased the potential for hackers to compromise the integrity of data, subtly changing it to influence decisions or impact share prices [66029].
5. The incident emphasized the need for improved cybersecurity measures, such as monitoring network behavior using machine learning algorithms to detect unusual activities and potential attacks [66029].

Preventions
1. Implementing strong cybersecurity measures such as firewalls, antivirus software, and staff training to recognize phishing emails [66029].
2. Moving back to traditional metal keys for door locks instead of relying solely on electronic systems [66029].
3. Utilizing real-time behavioral monitoring systems powered by deep learning algorithms to detect unusual network activity and potential IoT attacks [66029].

Fixes
1. Implementing firewalls and new antivirus software to enhance cybersecurity measures [66029].
2. Training staff to recognize phishing emails that may contain malware [66029].
3. Moving back to traditional metal keys for door locks instead of electronic systems [66029].
4. Monitoring network behavior using machine learning algorithms to spot unusual activity and potential attacks [66029].
5. Developing and implementing minimum smart device security standards to ensure better security for IoT devices [66029].

References
1. Christoph Brandstatter, managing director of Seehotel Jagerwirt in Austria [66029]
2. Mike Lloyd, chief technology officer at Silicon Valley cybersecurity firm RedSeal [66029]
3. Jason Hart, chief technology officer for Dutch digital security firm Gemalto [66029]
4. Eli David, co-founder of Tel-Aviv-based cybersecurity firm Deep Instinct [66029]
5. Rik Ferguson, vice president of cybersecurity firm Trend Micro [66029]
6. Raphael Crouan, secretary of the EC's Alliance for Internet of Things Innovation [66029]
7. Dave Palmer, technology director at UK threat intelligence firm Darktrace [66029]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization: The article reports that Seehotel Jagerwirt in Austria experienced a ransomware attack on their electronic door locks and other systems multiple times between December 2016 and January 2017. The hotel's door keys became unusable after clicking on a link in a ransomware email hidden in a bill from Telekom Austria. As a result, the hotel paid a ransom of two bitcoins to regain access to their systems. This incident led the hotel to enhance its cybersecurity measures, including installing firewalls, new antivirus software, and training staff to recognize phishing emails [66029].
(b) The software failure incident having happened again at multiple_organization: The article mentions another incident where a US casino's smart fish tank, connected to the internet, was hacked and used to gain access to the casino's wider network. The hackers were able to steal data from the casino's computers and store it on a device in Finland. This incident highlights the vulnerability of IoT devices to cyber attacks and the potential risks associated with interconnected systems [66029].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in the article where the Austrian hotel, Seehotel Jagerwirt, experienced multiple hacks on their electronic door locks and other systems. The incident occurred due to vulnerabilities in the system's design, allowing hackers to exploit these weaknesses for ransom [66029].
(b) The software failure incident related to the operation phase is evident in the same article where the hotel's door keys became unusable after the managing director clicked on a link in an email, leading to the system being compromised. This failure was a result of the operation or misuse of the system by interacting with malicious content [66029].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident at Seehotel Jagerwirt in Austria, where the electronic door locks and other systems were hacked for ransom four times, was a result of factors originating from within the system. The ransomware mail was hidden in a bill from Telekom Austria, and clicking on a link in the bill led to the hotel's door keys becoming unusable and the hard drive being affected [66029].
(b) outside_system: The incident involving a US casino's smart fish tank being hacked and used to gain access to the firm's wider network demonstrates a software failure incident with contributing factors originating from outside the system. The hackers were able to steal data from the casino's computers by exploiting vulnerabilities in the internet-connected fish tank, highlighting the risk posed by external factors in such incidents [66029].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions: The incident at Seehotel Jagerwirt in Austria involved the hotel's electronic door locks and other systems being hacked for ransom four times between December 2016 and January 2017. The ransomware mail was hidden in a bill from Telekom Austria, and clicking on a link in the email led to the hotel's door keys becoming unusable and the hard drive being affected [66029].
(b) The software failure incident occurring due to human actions: In response to the hacking incidents, the managing director of Seehotel Jagerwirt took actions such as installing firewalls, new antivirus software, and training staff to recognize phishing emails. Additionally, the hotel moved back to traditional metal keys as a security measure [66029].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident related to hardware can be seen in the article where the Austrian hotel's electronic door locks and other systems were hacked for ransom four times [66029]. This incident was a result of hackers gaining unauthorized access to the hotel's systems through the internet, which can be considered a hardware-related failure as the physical devices (door locks, keycard systems) were compromised.
(b) The software failure incident related to software can be observed in the same article where the hotel's door keys became unusable after clicking on a link in a ransomware email, and the hard drive was also affected [66029]. This incident highlights a failure originating in software, specifically through the malware embedded in the email that caused the system to malfunction.

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident reported in Article 66029 is malicious in nature. The incident involved the Austrian hotel, Seehotel Jagerwirt, being hacked four times for ransom between December 2016 and January 2017. The hotel's electronic door locks and other systems were compromised by ransomware, leading to the door keys becoming unusable and the managing director having to pay a ransom in bitcoins to regain control [66029]. Additionally, the incident involving a US casino's smart fish tank being hacked to gain access to the wider network is another example of a malicious software failure incident. The hackers were able to steal data from the casino's computers through the compromised fish tank, demonstrating a targeted and insidious attack [66029].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) In the software failure incident reported in Article 66029, poor decisions contributed to the incident. The hotel manager, Christoph Brandstatter, mentioned that they had no plan on what to do when they were hacked because they did not think anyone would be interested in hacking them as a small business [66029]. Additionally, the incident involved the hotel paying a ransom of two bitcoins to regain control of their systems after being hacked, indicating a reactive response rather than a proactive security measure in place [66029].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident occurring due to development incompetence: The incident at Seehotel Jagerwirt in Austria, where the hotel's electronic door locks and other systems were hacked for ransom four times, can be attributed to a lack of professional competence in terms of cybersecurity measures. The managing director mentioned that as a small business, they did not have a plan for such hacking incidents, indicating a lack of preparedness [66029].
(b) The software failure incident occurring accidentally: The incident involving a US casino's smart fish tank being hacked and used to gain access to the firm's wider network can be considered a case of accidental software failure. The hackers were able to exploit the fish tank's internet connectivity to infiltrate the casino's systems, showcasing how vulnerabilities in seemingly harmless devices can lead to unintended consequences [66029].

Category: Duration
Option: temporary
Rationale:
(a) The software failure incident mentioned in the articles is of a temporary nature. The incident at Seehotel Jagerwirt in Austria, where the electronic door locks and other systems were hacked for ransom four times between December 2016 and January 2017, resulted in the hotel's door keys becoming unusable after clicking on a link in a ransomware email [66029]. This incident was temporary in nature as it was caused by specific hacking events and was not a permanent failure due to inherent flaws in the system.

Category: Behaviour
Option: omission, value, byzantine, other
Rationale:
(a) crash: The incident at Seehotel Jagerwirt involved a ransomware attack that caused the hotel's electronic door locks and other systems to be hacked for ransom, rendering the door keys unusable and the hard drive inoperable [66029].
(b) omission: The incident at Seehotel Jagerwirt resulted in the hotel's door keys becoming unusable after clicking on a link in a ransomware email, leading to the omission of the intended function of the electronic door locks [66029].
(c) timing: There is no specific mention of a timing-related failure in the provided article.
(d) value: The incident at Seehotel Jagerwirt involved a ransomware attack that caused the hotel's door keys to become unusable, resulting in the system performing its intended functions incorrectly [66029].
(e) byzantine: The incident involving the US casino's smart fish tank being hacked and used to gain access to the firm's wider network showcases a more targeted and insidious attack, where hackers were able to steal data and move laterally within the organization, indicating a byzantine behavior [66029].
(f) other: The article mentions the use of machine learning algorithms by cybersecurity firms like Deep Instinct to monitor network behavior and spot unusual activity, which could fall under the category of 'other' behavior not explicitly described in options (a) to (e) [66029].

IoT System Layer

Layer: Perception
Option: sensor, processing_unit, network_communication, embedded_software
Rationale:
(a) sensor: The incident at Seehotel Jagerwirt involved the hacking of electronic door locks, which could be considered as a failure related to the sensor layer of the cyber physical system. The electronic door locks were compromised, leading to the hotel being hacked for ransom multiple times [66029].
(b) actuator: The incident at Seehotel Jagerwirt did not specifically mention any failure related to the actuator layer of the cyber physical system.
(c) processing_unit: The incident at Seehotel Jagerwirt involved the hacking of the hotel's systems, including the electronic door locks and hard drive, which could be considered as a failure related to the processing unit layer of the cyber physical system. The ransomware attack affected the functionality of these systems, leading to the hotel being hacked for ransom multiple times [66029].
(d) network_communication: The incident at Seehotel Jagerwirt involved the hotel's systems being hacked, which could be considered as a failure related to the network communication layer of the cyber physical system. The ransomware attack was initiated through a phishing email containing malware, highlighting a vulnerability in the network communication aspect of the system [66029].
(e) embedded_software: The incident at Seehotel Jagerwirt involved the hacking of the hotel's electronic door locks and systems, which could be considered as a failure related to the embedded software layer of the cyber physical system. The ransomware attack exploited vulnerabilities in the software, leading to the hotel being hacked for ransom multiple times [66029].

Layer: Communication
Option: connectivity_level
Rationale: The failure incident reported in the articles is related to the connectivity level of the cyber physical system that failed. The incident involved the hacking of the Austrian hotel's electronic door locks and other systems, which were compromised through phishing emails containing ransomware [66029]. Additionally, the incident at a US casino where a smart fish tank was hacked to gain access to the wider network also highlights the vulnerability of connected devices at the network or transport layer [66029]. These examples demonstrate failures at the connectivity level of the cyber physical system.

Layer: Application
Option: TRUE
Rationale: The software failure incident reported in the provided article [66029] was related to the application layer of the cyber physical system. The failure was caused by the hotel's electronic door locks and other systems being hacked for ransom four times between December 2016 and January 2017. The incident involved ransomware hidden in a bill from Telekom Austria, which led to the hotel's door keys becoming unusable after clicking on a link in the bill. Additionally, the incident resulted in the hard drive being affected, indicating a failure at the application layer due to cybersecurity vulnerabilities introduced by bugs and malware [66029].

Other Details

Category: Consequence
Option: property, non-human
Rationale:
(d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident described in the article resulted in property being impacted. In the case of Seehotel Jagerwirt in Austria, the hotel's electronic door locks and other systems were hacked for ransom four times, causing the door keys to become unusable and the hard drive to be affected. The hotel had to pay a ransom of two bitcoins to regain access to their systems [66029]. Additionally, a US casino's smart fish tank was hacked, allowing hackers to steal 10 gigabytes of data from the casino's computers and store it on a device in Finland [66029].

Category: Domain
Option: information, utilities, health, other
Rationale:
(a) The failed system in the article was related to the information industry as it involved a hotel's electronic door locks and other systems being hacked for ransom [66029].
(g) The incident also touches upon the utilities industry as it mentions a US casino's smart fish tank being hacked, which could regulate its own salinity, temperature, and feeding schedules [66029].
(j) The health industry is indirectly referenced in the article as it mentions the potential risks associated with IoT devices like keycard locking systems and coffee makers being connected to the internet, which could pose security threats [66029].
(m) The incident also relates to the "other" category as it discusses the broader implications of IoT devices being hacked, affecting various industries and potentially leading to data breaches and network infiltrations [66029].
